
unescaping javascript in rails .rb file / returning js in ruby methods

I have the following js (in a string literal) returned in one of my plugin's methods. So when I call the method it puts this in my view. The problem is on the website, all the <, ", ', > etc. are escaped into &lt;, &quot; and whatnot. How can I do this? I've tried various ways but none seem to work :/ I think this plugin may be kind of old so this was possible in earlier versions of Rails...

%Q{<script type="text/javascript">
    $(function() {
        $('#{table_dom_id}').dataTable({
          "oLanguage": {
            "sSearch": "#{search_label}",
            #{"'sZeroRecords': '#{no_records_message}'," if no_records_message}
            "sProcessing": '#{processing}'
          },
          "sPaginationType": "full_numbers",
          "iDisplayLength": #{per_page},
          "bProcessing": true,
          "bServerSide": #{server_side},
          "bLengthChange": false,
          "bStateSave": #{persist_state},
          "bFilter": #{search},
          "bAutoWidth": #{auto_width},
          #{"'aaSorting': [#{sort_by}]," if sort_by}
          #{"'sAjaxSource': '#{ajax_source}'," if ajax_source}
          "aoColumns": [
                #{formatted_columns(columns)}
                    ],
            #{"'fnRowCallback': function( nRow, aData, iDisplayIndex ) { #{row_callback} }," if row_callback}
          "fnServerData": function ( sSource, aoData, fnCallback ) {
            aoData.push( #{additional_data_string} );
            $.getJSON( sSource, aoData, function (json) {
                    fnCallback(json);
                } );
          }
        })#{append};
    });
    </script>}

Any help is appreciated, thanks!


This gets asked pretty often. You need to tell Rails not to escape the string one of two ways:

  1. <%= 'string'.html_safe %>
  2. <%= raw 'string' %>

The first is preferred in most cases since it's more flexible. You can, for instance, mark the string as HTML-Safe when it is defined, then if something modifies it it'll automatically be marked as unsafe. This is good to avoid accidentally opening yourself up to an exploit.

However, it would be a better idea to move that code into a view of some sort. You should avoid having output in your methods. In the case of helpers, limited output code is best (usually just snippets).


Rails automatically escapes html to prevent XSS attacks. You've got two options:

# Provided that my_escaped_string is what you want to display
<%= my_escaped_string.html_safe %>
<%= raw my_escaped_string %>

You can also use html_safe in any method as well.

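An added example, not code from the question or either answer, of the point both answers make: html_safe / raw switch escaping off for the whole string, so every value interpolated into that script has to be safe for the JavaScript context it lands in before the view marks the result safe. The helper name datatable_script and its parameters are assumed to stand in for the plugin's method.

```ruby
require "json"

# Naive helper in the shape of the question's %Q string: the interpolated value
# is dropped straight into the JavaScript source, so whoever controls
# search_label controls the script once the result is marked html_safe.
def naive_datatable_script(table_dom_id, search_label)
  %Q{<script type="text/javascript">
  $(function() {
    $('##{table_dom_id}').dataTable({ "oLanguage": { "sSearch": "#{search_label}" } });
  });
  </script>}
end

# Hardened helper (assumed name): the DataTables options are serialised with
# to_json, which quotes every string and escapes quotes, backslashes and
# newlines, so no value can terminate the JS literal it lands in. Numeric and
# boolean options are coerced so a string cannot be emitted as bare JS.
# Finally "</" is rewritten to "<\/", because a literal "</script>" inside a
# JS string still ends the HTML <script> element. The view then does
# <%= datatable_script(...).html_safe %> (or raw ...) on the result.
def datatable_script(table_dom_id, search_label, per_page: 10, server_side: false)
  options = {
    "oLanguage"       => { "sSearch" => search_label.to_s },
    "sPaginationType" => "full_numbers",
    "iDisplayLength"  => Integer(per_page),   # raises ArgumentError on "10; x()"
    "bServerSide"     => server_side == true,
  }
  selector = "##{table_dom_id}".to_json        # a quoted JS string literal
  body = "$(#{selector}).dataTable(#{options.to_json});"
  body = body.gsub("</", "<\\/")               # no early </script> from data
  %Q{<script type="text/javascript">\n  $(function() { #{body} });\n</script>}
end
```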
